CVE-2024-36894 usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

2024-05-3015:28:59

Linux

github.com

linux kernel usb ffs race condition aio_cancel deadlock mitigation dwc3-commit b566d38857fc mitigation

AI Score

6.8

Confidence

High

EPSS

Percentile

13.2%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

FFS based applications can utilize the aio_cancel() callback to dequeue
pending USB requests submitted to the UDC. There is a scenario where the
FFS application issues an AIO cancel call, while the UDC is handling a
soft disconnect. For a DWC3 based implementation, the callstack looks
like the following:

DWC3 Gadget                               FFS Application

dwc3_gadget_soft_disconnect() …
–> dwc3_stop_active_transfers()
–> dwc3_gadget_giveback(-ESHUTDOWN)
–> ffs_epfile_async_io_complete() ffs_aio_cancel()
–> usb_ep_free_request() –> usb_ep_dequeue()

There is currently no locking implemented between the AIO completion
handler and AIO cancel, so the issue occurs if the completion routine is
running in parallel to an AIO cancel call coming from the FFS application.
As the completion call frees the USB request (io_data->req) the FFS
application is also referencing it for the usb_ep_dequeue() call. This can
lead to accessing a stale/hanging pointer.

commit b566d38857fc (“usb: gadget: f_fs: use io_data->status consistently”)
relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
However, in order to properly implement locking to mitigate this issue, the
spinlock can’t be added to ffs_epfile_async_io_complete(), as
usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
function driver’s completion handler in the same context. Hence, leading
into a deadlock.

Fix this issue by moving the usb_ep_free_request() back to
ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
to NULL after freeing it within the ffs->eps_lock. This resolves the race
condition above, as the ffs_aio_cancel() routine will not continue
attempting to dequeue a request that has already been freed, or the
ffs_user_copy_work() not freeing the USB request until the AIO cancel is
done referencing it.

This fix depends on
commit b566d38857fc (“usb: gadget: f_fs: use io_data->status
consistently”)

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
    ],
    "vendor": "linux",
    "product": "linux_kernel",
    "versions": [
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "73c05ad46bb4",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
    ],
    "vendor": "linux",
    "product": "linux_kernel",
    "versions": [
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "d74618308232",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
    ],
    "vendor": "linux",
    "product": "linux_kernel",
    "versions": [
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "24729b307eef",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "f71a53148ce3",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "9e72ef59cbe6",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "e500b1c4e29a",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "3613e5023f09",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2e4c7553cd6f",
        "lessThan": "a0fdccb1c9e0",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "3.15"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "3.15",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "4.19.317",
        "versionType": "custom",
        "lessThanOrEqual": "4.20"
      },
      {
        "status": "unaffected",
        "version": "5.4.279",
        "versionType": "custom",
        "lessThanOrEqual": "5.5"
      },
      {
        "status": "unaffected",
        "version": "5.10.221",
        "versionType": "custom",
        "lessThanOrEqual": "5.11"
      },
      {
        "status": "unaffected",
        "version": "5.15.162",
        "versionType": "custom",
        "lessThanOrEqual": "5.16"
      },
      {
        "status": "unaffected",
        "version": "6.1.95",
        "versionType": "custom",
        "lessThanOrEqual": "6.2"
      },
      {
        "status": "unaffected",
        "version": "6.6.31",
        "versionType": "custom",
        "lessThanOrEqual": "6.7"
      },
      {
        "status": "unaffected",
        "version": "6.8.10",
        "versionType": "custom",
        "lessThanOrEqual": "6.9"
      },
      {
        "status": "unaffected",
        "version": "6.9",
        "versionType": "custom",
        "lessThanOrEqual": "*"
      }
    ],
    "defaultStatus": "unknown"
  }
]